New York Passes SHIELD Act to Protect New Yorkers Against Data Breaches

Written By ESR News Blog Editor Thomas Ahearn

On July 25, 2019, New York Governor Andrew M. Cuomo signed the Stop Hacks and Improve Electronic Data Security Act or SHIELD Act (S.5575B/A.5635) into law to protect New Yorkers against data breaches by imposing stronger obligations on businesses handling private customer data to provide proper notification of security breaches, according to a news story on the Governor’s website.

Sponsored by New York State Senator Kevin Thomas (D) 6th Senate District, the SHIELD Act – which takes effect 240 days after becoming law – will strengthen New York’s outdated data breach notification law that has not kept pace with current technology. The bill imposes stronger obligations on businesses handling private data of customers regarding security and proper notification of data breaches by:

  • Broadening the scope of information covered under the notification law to include biometric information and email addresses with their corresponding passwords or security questions and answers;
  • Updating the notification requirements and procedures that companies and state entities must follow when there has been a breach of private information;
  • Extending the notification requirement to any person or entity with private information of a New York resident, not just those who conduct business in New York State;
  • Expanding the definition of a data breach to include unauthorized access to private information; and
  • Creating reasonable data security requirements tailored to the size of a business.

In late July of 2017, Equifax Inc. – one of the three main credit reporting agencies (CRAs) in the United States – experienced a major data breach involving personal information such as Social Security numbers (SSNs). The breach impacted approximately 147 million consumers, who were left to bear the burden of protecting their own identities even though their information was stolen through no fault of their own.

On July 22, 2019, Governor Cuomo, the State Department of Financial Services, and State Attorney General James announced a $19.2 million settlement with Equifax over the data breach. As part of that settlement, Equifax agreed to provide New York consumers with credit monitoring services and free annual credit reports, and the company will pay restitution to consumers affected by the breach.

“The stark reality is security breaches are becoming more frequent and with this legislation New York is taking steps to increase protections for consumers and holding these companies accountable when they mishandle sensitive data,” said Governor Cuomo, who also signed A.2374/S.3582, which requires CRAs to offer identity theft services to consumers affected by data breaches and takes effect 60 days after becoming law.

The signing of the SHIELD Act comes days after the Consumer Financial Protection Bureau (CFPB) and the Federal Trade Commission (FTC) announced a settlement with Equifax that will provide up to $700 million in monetary relief and penalties for the 2017 data breach. The CFPB alleged in its complaint that Equifax violated the law in several ways through its conduct both before and after the data breach.

Concerns over well-publicized data breaches have led to an increased focus on information security for background screening firms in 2019. This trend was chosen by leading global background check provider Employment Screening Resources® (ESR) as first on the list of “ESR Top Ten Background Check Trends” for 2019 that is available at www.esrcheck.com/Tools-Resources/ESR-Top-Ten-Background-Check-Trends/.

Employers conducting background checks are looking for screening firms to have certifications such as SSAE 18 SOC 2® Type 2 reports and accreditation from the National Association of Professional Background Screeners (NAPBS). U.S. screening firms conducting international background checks must also comply with the EU-U.S. and Swiss-U.S. Privacy Shield Framework and the General Data Protection Regulation (GDPR).

Employment Screening Resources® (ESR) – which is headquartered in Northern California – is accredited by the NAPBS, undergoes annual SOC 2® audits, participates in the EU-U.S. and Swiss-U.S. Privacy Shield Framework, and has fully compliant GDPR technology. ESR also won the 2018 TekTonic Award from HRO Today Magazine for innovative and disruptive screening technology. To learn more, visit www.esrcheck.com.

NOTE: Employment Screening Resources® (ESR) does not provide or offer legal services or legal advice of any kind or nature. Any information on this website is for educational purposes only.